Juniper Configuration
Most proprietary switches provide a CLI for interactive use, but do not provide a means of applying a configuration from a Unix command line.
JunOS is proprietary, but provides a far better story:
- A sandboxed FreeBSD 12 userland with OpenSSH
- Tools for loading, merging and displaying the diff of a configuration
These are notes on configuring the Juniper EX2300-C-12P using rset(1).
USB console
Juniper switches can be accessed using a USB cable since they have a built-in UART:
uslcom0 at uhub0 port 4 configuration 1 interface 0 "Silicon Labs CP2104 USB to UART Bridge Controller" rev 2.00/1.00 addr 8
ucom0 at uslcom0 portno 0
To switch output to the USB console run
set system ports auxiliary port-type mini-usb
Manual configuration can now be handled from my OpenBSD router using
cu -l cuaU0
Configuring SSH
The next step is to establish network access using a management interface
set interfaces me0 unit 0 family inet address 192.168.0.7/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.3
Optionally disable the alarm LED if this interface will only be used for initial provisioning
set chassis alarm management-ethernet link-down ignore
Set the SSH host key algorithm (each algorithm is enabled or disabled individually; the no- forms, such as no-ssh-rsa, turn the others off)
set system services ssh hostkey-algorithm ssh-ed25519
Add users
set system login user eradman class super-user
set system login user eradman authentication ssh-ed25519 "ssh-ed25519 key..."
Once we have settled on a network design, we can bring up a layer 3 interface and assign an IP address that is reachable on a VLAN instead
set interfaces irb unit 80 description wired-network
set interfaces irb unit 80 family inet address 192.168.0.7/24
Upgrading JunOS
> show version
> request system software add http://192.168.0.11/junos-arm-32-18.2R3-S5.3.tgz reboot
Or if there isn't enough space
> request system software add http://192.168.0.11/junos-arm-32-18.2R3-S5.3.tgz force unlink no-copy
The image is fetched over plain HTTP, so compare its checksum with the one published on Juniper's download page before installing it.
UPnP
Clients such as Tailscale or video call applications use NAT-PMP (UDP port 5351, commonly lumped together with UPnP) to ask the gateway for a port mapping so they can talk peer-to-peer. The helper can be set on each routing interface or globally
set forwarding-options helpers port 5351 server 192.168.0.3
Router Uplink
First we'll define the VLANs on the switch
# juniper/ex2300-c
set vlans vlan80 description wired
set vlans vlan80 vlan-id 80
set vlans vlan80 l3-interface irb.80
set vlans vlan81 description wireless
set vlans vlan81 vlan-id 81
set vlans vlan81 l3-interface irb.81
Set the interface mode to trunk so the port accepts 802.1Q tagged frames
edit interfaces ge-0/0/0
  set description "Uplink to router"
  edit unit 0 family ethernet-switching
    set interface-mode trunk
    set vlan members vlan80
    set vlan members vlan81
  exit
exit
Aggregate Links
Tagged or untagged interfaces may be bundled with LACP for redundancy. A link carrying more than one VLAN must be a trunk; an access port accepts a single VLAN only
set interfaces ge-0/0/10 ether-options 802.3ad ae0
set interfaces ge-0/0/11 ether-options 802.3ad ae0
edit interfaces ae0
  set description "apu4d2 em0,em1"
  set aggregated-ether-options lacp active
  edit unit 0 family ethernet-switching
    set interface-mode trunk
    set vlan members vlan80
    set vlan members vlan81
  exit
exit
POE
JunOS is far more adaptable to configuration management than most switches since changes are staged in a candidate configuration before being committed. Another useful feature is the ability to clear a section using delete, which ensures the entire category is redefined by the statements that follow rather than merged with whatever was already there
delete poe
set poe interface ge-0/0/6
set poe interface ge-0/0/7
Routed VLANs
By assigning an IP address to each VLAN L3 interface, traffic can be routed between LANs on the switch. Note that inter-VLAN traffic then no longer passes through the router's packet filter, so any policy between the two subnets has to be enforced on the switch itself.
set interfaces irb unit 80 family inet address 192.168.0.7/24
set interfaces irb unit 81 family inet address 192.168.1.7/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.3
To take advantage of the routed VLAN interfaces, adjust the default gateway for each subnet
# /etc/dhcpd.conf
subnet 192.168.0.0 netmask 255.255.255.0 {
	option routers 192.168.0.7;
}
subnet 192.168.1.0 netmask 255.255.255.0 {
	option routers 192.168.1.7;
}
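Pushing a fragment like the ones above from a Unix host, as an added example (this is not code from the original notes, nor rset's own code): the functions below copy a set-style file to the device, show the candidate-versus-active diff and commit with an automatic rollback window, which is the load/diff/commit workflow mentioned at the top, and the sample fragment leads with delete so that re-running it redefines the whole section, the same pattern used for PoE. The constructed fragment also shows the check a practitioner wants once the switch routes between VLANs: a stateless firewall filter inbound on irb.81 so wireless clients can still reach the router but not the rest of the wired subnet, now that this traffic bypasses the router's packet filter. The host name, the filter name, the /var/tmp and /tmp paths and the idea of filtering wireless toward wired are assumptions for illustration; the addresses are the ones used above.

```shell
#!/bin/sh
# Added example, not from the original notes: push a set-style configuration
# fragment to a Junos device, show the diff, and commit with an automatic
# rollback window. Host names, paths, the filter name and the sample fragment
# are assumptions for illustration.

# junos_fragment FILE
# Write the constructed sample fragment to FILE. Leading with "delete" makes the
# block idempotent: every run redefines the whole filter instead of accumulating
# terms. The filter is applied inbound on irb.81 (wireless); the router itself
# stays reachable, the rest of the wired subnet is discarded, everything else
# (internet-bound traffic, the wireless subnet) is accepted.
junos_fragment() {
  cat >"$1" <<'EOF'
delete firewall family inet filter wireless-in
set firewall family inet filter wireless-in term allow-router from destination-address 192.168.0.3/32
set firewall family inet filter wireless-in term allow-router then accept
set firewall family inet filter wireless-in term block-wired from destination-address 192.168.0.0/24
set firewall family inet filter wireless-in term block-wired then discard
set firewall family inet filter wireless-in term allow-rest then accept
set interfaces irb unit 81 family inet filter input wireless-in
EOF
}

# junos_plan REMOTE_PATH [MINUTES]
# Print the CLI command stream that loads the fragment already copied to
# REMOTE_PATH on the device, prints the candidate-vs-active diff, runs the
# commit checks and commits with "commit confirmed": unless a plain "commit"
# follows within MINUTES (default 5) the device rolls the change back by
# itself, so a typo in the filter cannot lock us out.
junos_plan() {
  remote=$1
  minutes=${2:-5}
  printf '%s\n' \
    'configure private' \
    "load set $remote" \
    'show | compare' \
    'commit check' \
    "commit confirmed $minutes" \
    'exit'
}

# junos_push HOST FILE [MINUTES]
# Copy FILE to the device and feed the command stream to the Junos CLI over
# SSH; the CLI reads commands line by line from stdin.
junos_push() {
  host=$1
  file=$2
  remote="/var/tmp/$(basename "$file")"
  scp -q "$file" "$host:$remote"
  junos_plan "$remote" "${3:-5}" | ssh -T "$host"
}

# junos_confirm HOST
# Make the pending "commit confirmed" permanent once you have verified that
# the switch is still reachable.
junos_confirm() {
  printf '%s\n' 'configure' 'commit' 'exit' | ssh -T "$1"
}

# Usage: sh junos-push.sh switch.example.org [fragment.set]
# With no fragment argument the constructed sample above is pushed.
if [ $# -ge 1 ]; then
  frag=${2:-/tmp/wireless-in.set}
  [ -n "$2" ] || junos_fragment "$frag"
  junos_push "$1" "$frag"
fi
```

After junos_push reports the diff and the confirmed commit, check that you can still log in from the management network, then run junos_confirm against the same host; if you cannot, the switch reverts on its own when the timer expires.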
SRX Series
Juniper SRX firewalls can also be used as a switch by enabling packet mode. Deleting the security hierarchy removes every zone and policy, so the SRX stops doing stateful inspection and should then sit behind something else that enforces policy
delete security
edit security forwarding-options family
  set iso mode packet-based
  set inet6 mode packet-based
  set mpls mode packet-based
exit
Alarm Status
If the alarm light is on, the system may be missing a last-known-working configuration, or the recovery partition may not be ready. Use show system alarms to list the known issues.
# mirror state
request system configuration rescue save
request system autorecovery state save
Links
fs.com has everything needed to assemble tidy cabling, and their products are very easy to use: